OpenFGA CVE-2026-55689
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attacker needs a valid token from the shared issuer (PR:L), reaches the API over the network (AV:N/AC:L), and gains full read/write to authorization data (C:H/I:H), with no availability impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
7DescriptionNVD
Description
OpenFGA's OIDC authenticator skipped JWT audience (aud) validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA.
Preconditions
This applies if the following preconditions are met:
- You run OpenFGA with
authn.methodset tooidc. - You configured
authn.oidc.issuerbut did not set
authn.oidc.audience (--authn-oidc-audience / OPENFGA_AUTHN_OIDC_AUDIENCE).
Fix
Upgrade to OpenFGA 1.18.0 or greater. OpenFGA now refuses to start in oidc mode unless both authn.oidc.issuer and authn.oidc.audience are set, and the aud claim is always validated.
Acknowledgements
OpenFGA would like to thank https://github.com/0xVijay for the report.
AnalysisAI
Authentication bypass in OpenFGA versions 1.17.1 and earlier allows a validly-signed JWT issued for an unrelated service to authenticate to OpenFGA, because the OIDC authenticator silently skipped JWT audience (aud) validation whenever authn.oidc.audience was left unset. Any deployment using authn.method=oidc with a configured issuer but no configured audience trusts every token minted by that issuer, so an attacker holding a legitimate token for a different service behind the same identity provider gains full access to OpenFGA's authorization data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires OpenFGA to be deployed with authn.method set to oidc and authn.oidc.issuer configured while authn.oidc.audience (--authn-oidc-audience / OPENFGA_AUTHN_OIDC_AUDIENCE) is left unset - this exact non-default combination is what disables aud validation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) indicates a network-reachable, low-complexity bypass requiring some pre-existing privilege - consistent with the attacker needing a legitimate token from the shared issuer rather than nothing at all (PR:L, not PR:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An organization runs OpenFGA in oidc mode sharing a corporate identity provider with several internal apps, and never set authn.oidc.audience. An attacker who legitimately holds (or obtains) a validly-signed token issued by that IdP for an unrelated internal service presents it to OpenFGA's API; because the aud claim is not checked, the token is accepted and the attacker can read and modify authorization tuples. … |
| Remediation | Vendor-released patch: upgrade OpenFGA to 1.18.0 or greater (release https://github.com/openfga/openfga/releases/tag/v1.18.0, fix commit 44596773b2e62738720ef215bf7fa04352954271); Helm chart users should move to openfga-0.3.9 or later. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all OpenFGA instances running version 1.17.1 or earlier using OIDC authentication without an explicit audience value configured-these deployments accept tokens from any service using the same identity provider. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-hcxc-wf8j-23hv